This section explains how to allow passwordless SSH between Samba AD joined Linux hosts (or passwordless SSH using PuTTY from Windows machines joined to the same domain).

This section assumes the joined machines' krb5.conf files are appropriately configured (usually this happens automatically when they are joined) and point to a suitable Kerberos keytab. The keytab is generated by running "net ads keytab create" on the joined machine, which usually writes it where Kerberos expects to find it, by default /etc/krb5.keytab. If not, you may need to add a "default_keytab_name" entry to your krb5.conf pointing to the generated /etc/krb5.keytab.

DNS also needs working forward and reverse entries for the SSH servers. See the Apache Single Sign-On section for how to achieve this.

for console-based logins and SSH fallback to password, to generate a Kerberos TGT (that is, if the passwordless login fails because the calling machine does not hold a suitable ticket). This is essential if using things like NFSv4 with Kerberos authentication.
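As an added example that is not from the original page, the following POSIX shell script checks the prerequisites above on a joined Linux host: that the keytab named by krb5.conf (or the /etc/krb5.keytab default) is readable, that sshd accepts GSSAPI, that forward and reverse DNS agree for the server name, and that the client holds a TGT. It assumes OpenSSH and its GSSAPIAuthentication / GSSAPIDelegateCredentials options, which the page does not mention; the krb5.conf and sshd_config samples inside it are constructed for the self-check and are not real configuration.

```shell
#!/bin/sh
# Added example, not part of the original page: pre-flight checks for
# passwordless (Kerberos/GSSAPI) SSH on a Samba AD joined Linux host.
# Assumptions not stated on the page: OpenSSH is the SSH client/server, so
# the options to check are GSSAPIAuthentication (sshd_config, ssh_config) and
# GSSAPIDelegateCredentials (ssh_config); krb5.conf is /etc/krb5.conf.

# Print the keytab the host will use: the default_keytab_name entry from the
# given krb5.conf, or the library default /etc/krb5.keytab when the entry is
# absent. A leading "FILE:" type prefix is stripped so the path can be tested.
keytab_from_krb5conf() {
    kt=$(sed -n 's/^[[:space:]]*default_keytab_name[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -z "$kt" ] && kt=/etc/krb5.keytab
    printf '%s\n' "${kt#FILE:}"
}

# Succeed when the first occurrence of an OpenSSH option in a config file is
# "yes". OpenSSH keeps the first value it reads for an option, so a later "no"
# does not override an earlier "yes"; this function mirrors that rule.
ssh_option_is_yes() {
    val=$(awk -v o="$2" 'tolower($1) == tolower(o) { print tolower($2); exit }' "$1")
    [ "$val" = "yes" ]
}

# Succeed when forward and reverse DNS agree for an SSH server: the name must
# resolve, and its address must resolve back to the same name. Pass the fully
# qualified name, because that is what the host/... service principal carries.
dns_roundtrip() {
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 1
    back=$(getent hosts "$addr" | awk 'NR == 1 { print $2 }')
    [ "$back" = "$1" ]
}

# Succeed when the credential cache holds a valid TGT (klist -s is silent and
# exits non-zero otherwise). Run this on the client when ssh falls back to a
# password prompt: no ticket here means the server is not the problem.
have_tgt() {
    command -v klist >/dev/null 2>&1 && klist -s
}

# Constructed sample configs (not real hosts) used for the self-check below.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = FILE:/etc/samba/host.keytab
EOF
cat > "$SAMPLE_DIR/krb5-default.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
EOF
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# constructed sample: a later "no" must not override the first "yes"
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIAuthentication no
EOF

# Live checks against the real host; each prints ok/FAIL with a hint.
run_preflight() {
    kt=$(keytab_from_krb5conf /etc/krb5.conf)
    if [ -r "$kt" ]; then echo "ok: keytab $kt readable"
    else echo "FAIL: keytab $kt missing; run 'net ads keytab create'"; fi
    if ssh_option_is_yes /etc/ssh/sshd_config GSSAPIAuthentication; then echo "ok: sshd allows GSSAPI"
    else echo "FAIL: set GSSAPIAuthentication yes in /etc/ssh/sshd_config"; fi
    if dns_roundtrip "$1"; then echo "ok: forward/reverse DNS agree for $1"
    else echo "FAIL: forward and reverse DNS disagree for $1"; fi
    if have_tgt; then echo "ok: valid TGT in credential cache"
    else echo "FAIL: no TGT; kinit or log in via PAM to obtain one"; fi
}

# Only run the live checks when a krb5.conf exists, i.e. on a joined host.
if [ -r /etc/krb5.conf ]; then run_preflight "${1:-$(hostname -f 2>/dev/null || hostname)}"; fi
```

Run it as `sh preflight.sh server.example.com` on the SSH server to check the keytab, sshd and DNS side, and on the client to confirm a TGT is present; a DNS round-trip failure is the most common reason a GSSAPI login quietly falls back to a password prompt.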

To also allow PuTTY SSH logins to be passwordless from a Windows machine joined to the same domain as your Linux host requires a reasonably up-to-date version of PuTTY. Then all that needs to be set for a particular session is: under Connection -> SSH -> Auth -> GSSAPI, select "Attempt GSSAPI authentication (SSH-2 only)" and "Allow GSSAPI credential delegation". Optionally, under Connection -> Data, select "Use system username".

It is desirable to set "Trust this computer for delegation to any service (Kerberos only)" under the "Delegation" tab in Users and Computers for the computer objects you are SSHing into. This allows your Kerberos tickets to be forwarded to the machine you are SSHing into, so that you can use Kerberized services from that system, for example SSHing into yet another computer without a password.